{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14540", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-11T12:12:04.086Z", "datePublished": "2025-12-13T04:31:22.143Z", "dateUpdated": "2026-04-08T16:38:10.684Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:10.684Z"}, "affected": [{"vendor": "userback", "product": "Userback", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin's configuration data including the Userback API access token and site's posts/pages contents, including those that have private and draft status."}], "title": "Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1add8693-20df-431e-ad3b-b23322f1fa03?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/userback/tags/1.0.15/index.php#L148"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "jason carle"}], "timeline": [{"time": "2025-12-08T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-12T16:08:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:40.249133Z", "id": "CVE-2025-14540", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:48:23.159Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14540", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:40.249133Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:41.288Z"}}], "cna": {"title": "Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure", "credits": [{"lang": "en", "type": "finder", "value": "jason carle"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "userback", "product": "Userback", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-08T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-12T16:08:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1add8693-20df-431e-ad3b-b23322f1fa03?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/userback/tags/1.0.15/index.php#L148"}], "descriptions": [{"lang": "en", "value": "The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin's configuration data including the Userback API access token and site's posts/pages contents, including those that have private and draft status."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:10.684Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14540", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:38:10.684Z", "dateReserved": "2025-12-11T12:12:04.086Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:22.143Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin's configuration data including the Userback API access token and site's posts/pages contents, including those that have private and draft status."}], "id": "CVE-2025-14540", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:51.260", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userback/tags/1.0.15/index.php#L148"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1add8693-20df-431e-ad3b-b23322f1fa03?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:30:47.350606+00:00", "value": {"mitigation_remediation": ["Update the Userback plugin to the latest version (v1.0.16 or higher) to remove the missing authorization check.", "If an immediate upgrade is not possible, restrict the configuration page to administrator roles only using WordPress role management tools.", "Audit user role assignments to minimize the number of users with Subscriber or higher privileges, reducing the potential attack surface."], "summary": {"action": "Apply patch", "impact": "Unauthorized data exposure via missing authorization checks"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the Userback plugin version 1.0.15 or earlier are affected. The plugin can be found under the vendor name userback:Userback.", "description_and_impact": "The Userback WordPress plugin version 1.0.15 and earlier contains a missing capability check in the userback_get_json function. This flaw allows authenticated users who possess at least Subscriber privileges to retrieve the plugin\u2019s configuration data, including the Userback API access token, and the content of the site\u2019s posts and pages, even if those items are marked as private or draft. The weakness aligns with CWE-862 (Missing Authorization).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate overall impact. The EPSS score of less than 1% suggests the likelihood of exploitation at the time of analysis is very low, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is an authenticated user with Subscriber or higher privileges. The attacker can read configuration data and private content."}}}}, "created": "2025-12-14T21:14:54.181805+00:00", "updated": "2026-04-27T22:45:15.463965+00:00", "vendors": ["userback", "userback$PRODUCT$userback", "wordpress", "wordpress$PRODUCT$wordpress"]}